Post navigation

A researcher at the Defense in Depth blog has discovered a flaw in Apple’s recently released operating system, OS X 10.7 (Lion), which allows passwords to be changed without knowledge of the logged in user’s password.

The flaw appears related to Apple’s move towards a local directory service which has permissions set in an insecure manner.

An attacker who has access to a logged in Mac (locally, over VNC/RDC, SSH, etc) is able to change the currently logged in user’s password without knowing the existing password as would normally be required:

This is particularly dangerous if you are using Apple’s new FileVault 2 disk encryption. If your Mac were left unlocked and someone changed your password you would no longer be able to boot your computer and potentially would lose access to all of your data.

Thanks for this info. I just got a security update from Apple, wonder if that fixed this issue. On another, related note, I was given an Apple G4 Desktop system earlier this year and unfortunately the person who gave it to me couldn’t remember the password they used. So, in order to reset it I had to do the following (which worked like a champ):

1. Reboot into single user mode (at boot, when you see the grey screen, hit Command-s)
2. At the prompt, type the following:

fsck -fy
mount -uw /
launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
3. Next you need the user name of the id you want to change the passed for. Don’t know it? Use ‘ls /Users’ to find it.
4. Execute the following:

dscl . -passwd /Users/
5. Reboot

That’s it. On OSx 10.4/10.5 that would work, and you didn’t even need the OSx disc. I haven’t tried it yet on Lion to see if it would work or not, but it is definitely scary that you don’t need the disc to do that.

Thanks Chet! In all my years of using Macs, I’ve never bothered to look into Keychain Access.app’s preferences. I’ve been writing quick hacks to do what that menu item does for years!

Also, everyone using a Mac may want to mouse on over to the third preferences tab: Certificates. With all the excitement regarding DigiNotar recently, our readers may find it interesting that OCSP and CRL are disabled by default.